It is accepted by security professionals that any network can eventually be compromised.
Trends:
Increasing number of attacks
Year-on-year increases
Increasing sophistication of attacks
What was sophisticated yesterday is easy today – integrated into e.g. Metasploit
Multiple approaches
Evade detection – average time from penetration of the PCE to detection = 18 months
Energy is a high-value target (59% of attacks reported in 2013 to US DHS)
Energy specifically targeted
Not if but when
A company's customers depend on it delivering consistently and reliably
In order to do that, a company needs its production operations to run 24 x 7
Those production operations depend on automation systems that must run 24 x 7
Process security focuses on ensuring safe, reliable and secure operations
Energy companies form part of the critical energy infrastructure of countries and are a major contributor to those countries' economies
PCE security matters to a company's success
A PCE security incident can impact a company's customers and, potentially, has safety, environmental, financial and reputational impacts
People – Process – Technology
Journey
When we look at foundational security, this is typically fulfilled by organisations aligning to security good practice. At LM we are certified to ISO27001 at an enterprise level, and over 25 IS&GS programmes also hold ISO27001 certification.
There are many ways to represent foundational security; here I have broken it down into overarching security elements (the dark blue boxes), with endpoint security (left-hand side) and network security (right-hand side) shown inside them.
Foundational security is essential to manage risk from broad-based adversaries such as cyber criminals, hacktivists, hackers and less sophisticated adversaries.
Essentially we are in a position where we can buy COTS products, supplemented by good security policies and by education and awareness, to manage these threat actors.
If only this were enough to manage the threat from the sophisticated top 20% of adversaries.
Using intelligence to look for the needle in the haystack or needle in the needle stack.
Cut through all of the noise to spot characteristics of sophisticated threats and insider threats.
You want to identify potential threats early and plot course accordingly!
Using the Titanic analogy: there were plenty of warnings to avoid the iceberg before disaster struck!
High level talking point -- Tracking campaigns is enormously beneficial. We are not trying to stop 1s and 0s, we are trying to stop people, so I need to understand how and when people operate.
The principal goal of campaign analysis is to determine the patterns and behaviors of the intruders, their tactics, techniques, and procedures (TTP), to detect "how" they operate rather than specifically "what" they do. The campaign heatmap allows us to quickly home in on which adversaries are active over a particular timeframe and understand when and how they attack. The use of the heatmap has been important to understanding what triggers an APT attack (e.g. new zero-day vulnerabilities, or other significant events). This allows us to assess our defensive posture on a campaign-by-campaign basis and, based on the assessed risk of each, develop strategic courses of action to cover any gaps.
We can also tell the difference between an adversary that targets us every month and one that targets us periodically. For example, if there are a number of consecutive months of activity but then a conspicuous gap, that might mean something was missed or the adversary changed their TTPs.
The heatmap allows us to identify periods during the year that are traditionally busy, or periods where multiple adversaries are all active at once. This enables us to ensure that staff are on hand at those times and/or to plan to deploy very aggressive mitigations, as there is little room for error.
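The following is an added example of the heatmap analysis described above; it is not LM's tooling, and the intrusion records, campaign names and dates it uses are constructed. It counts intrusions per campaign per month, classifies each campaign as monthly or periodic, flags quiet months inside an otherwise monthly campaign (a possible missed intrusion or changed TTPs), and lists the months where several campaigns overlap.

```python
"""Campaign heatmap from constructed intrusion records (added example, not
Lockheed Martin tooling). Each record is (campaign label, detection date)."""
from collections import defaultdict
from datetime import date

# Constructed sample data: campaign label and the date the intrusion was detected.
SAMPLE_INTRUSIONS = [
    ("CAMPAIGN-A", date(2013, 1, 14)),
    ("CAMPAIGN-A", date(2013, 2, 3)),
    ("CAMPAIGN-A", date(2013, 3, 21)),
    ("CAMPAIGN-A", date(2013, 5, 9)),   # April is silent: a gap in a monthly campaign
    ("CAMPAIGN-A", date(2013, 6, 2)),
    ("CAMPAIGN-B", date(2013, 3, 5)),
    ("CAMPAIGN-B", date(2013, 3, 27)),
    ("CAMPAIGN-B", date(2013, 9, 11)),  # periodic rather than monthly
    ("CAMPAIGN-C", date(2013, 6, 18)),
]


def build_heatmap(intrusions, year):
    """Return {campaign: [count for Jan..Dec]} for one year."""
    heat = defaultdict(lambda: [0] * 12)
    for campaign, d in intrusions:
        if d.year == year:
            heat[campaign][d.month - 1] += 1
    return dict(heat)


def active_months(row):
    return [i for i, count in enumerate(row) if count]


def classify(row):
    """'monthly' if the campaign is active in most months of its span,
    'periodic' if it returns only now and then, 'single' if seen once."""
    active = active_months(row)
    if len(active) < 2:
        return "single"
    span = active[-1] - active[0] + 1
    return "monthly" if len(active) / span >= 0.6 else "periodic"


def find_gaps(row):
    """Silent months (1-12) lying between the first and last active month.
    Meaningful for a monthly campaign: either something was missed or the
    adversary changed TTPs."""
    active = active_months(row)
    if len(active) < 2:
        return []
    return [m + 1 for m in range(active[0], active[-1]) if row[m] == 0]


def busy_months(heat, min_campaigns=2):
    """Months where at least min_campaigns campaigns are active at once."""
    return [m + 1 for m in range(12)
            if sum(1 for row in heat.values() if row[m]) >= min_campaigns]


def render(heat):
    lines = ["campaign     " + " ".join(f"{m:>2}" for m in range(1, 13))]
    for campaign in sorted(heat):
        cells = " ".join(f"{c:>2}" if c else " ." for c in heat[campaign])
        lines.append(f"{campaign:<12} {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    heat = build_heatmap(SAMPLE_INTRUSIONS, 2013)
    print(render(heat))
    for campaign, row in sorted(heat.items()):
        kind = classify(row)
        gaps = find_gaps(row) if kind == "monthly" else []
        print(f"{campaign}: {kind}, gaps to investigate: {gaps}")
    print("months with overlapping campaigns:", busy_months(heat))
```

Gaps are only reported for campaigns classified as monthly; a periodic campaign is expected to have quiet months, so flagging those would add noise rather than signal.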
CYBER KILL CHAIN services become a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. Typically, "Defense-in-Depth" just means "more is better than less". With CYBER KILL CHAIN services we have a smarter measure of depth, by having defensive options across the full spectrum of the defense lifecycle. If you're just "adding more", you could be layering defense at one part of the defense lifecycle while deficiencies elsewhere go unnoticed.
Cyber Kill Chain™
Detect
Deny
Disrupt
Degrade
Deceive
The matrix depicts courses of action (detect, deny, disrupt, degrade, deceive) across all phases of the defense lifecycle. In the exploitation phase, for example, the matrix shows that host intrusion detection systems (HIDS) can passively detect exploits, patching denies exploitation altogether, and data execution prevention (DEP) can disrupt the exploit once it initiates. Illustrating the spectrum of capabilities defenders can employ, the matrix includes traditional systems like network intrusion detection systems (NIDS) and firewall access control lists (ACL), system hardening best practices like audit logging, but also vigilant users themselves (THE I CAMPAIGN ™) who can detect suspicious activity.
The key here is resiliency. One mitigation breaks the chain, but 7 mitigations make you resilient. Even if the adversary changes 6 things, your one remaining mitigation still wins. There is no inherent advantage to an aggressor in cyber; launching a successful intrusion requires a lot of things to happen just right. The problem is that most defenders don't know how to correctly control and defend their environment. If you have control of your environment, and understand your threats, you can build resilience.
The reason we have multiple D's is that defenders can make intelligence gain vs loss trade-offs. By blocking something (Deny), you may tip your hand to the adversary. They may know precisely what they need to adjust to bypass your defenses (e.g. you block my IP, I'll just use a different one). Instead, if you're able to Deceive them, you may be able to collect additional information from the adversary. All of this is new information for you to use for new defenses.
A classic example is an IP address that sends you malicious email. If you block it, the adversary knows immediately what mitigation you put in, because they can tell their connections are failing. However, what have you gained as a defender? All you can see is a bunch of dropped SYN packets on your firewall. Yes, you've gained the security that that particular IP can't send anything to you, but you know nothing further. If the adversary switches to a new IP, would you be able to detect it? Instead, by deceiving the adversary, allowing the full email to enter your network but blocking it before it reaches the user, you now know a tremendous amount of information.
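As an added example of the course-of-action matrix and the resiliency argument above (not LM's own matrix or tooling), the code below lays the matrix out as phases against the five D's. The exploitation row follows the text (HIDS detects, patching denies, DEP disrupts); every other placement, including the phase names, "mail filter" and "sinkhole", is a constructed assumption used only to illustrate the checks. It reports phases with no course of action, the depth profile that distinguishes spread across phases from piling capabilities onto one phase, and whether the chain still breaks after the adversary has changed TTPs to evade a given set of capabilities.

```python
"""Course-of-action matrix: kill chain phases (rows) against defender actions
(columns). Added example, not LM's matrix. Only the exploitation row follows
the text; all other placements are constructed assumptions."""

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive"]

# {phase: {action: [capabilities]}}; an absent phase has no course of action.
MATRIX = {
    "delivery": {"detect": ["vigilant user", "NIDS"],          # constructed placement
                 "deny": ["mail filter"]},
    "exploitation": {"detect": ["HIDS"], "deny": ["patching"],  # as in the text
                     "disrupt": ["DEP"]},
    "installation": {"detect": ["audit logging"]},              # constructed placement
    "command_and_control": {"deny": ["firewall ACL"],           # constructed placement
                            "deceive": ["sinkhole"]},
}


def capabilities(matrix, phase):
    """Distinct capabilities held at one phase, whatever the action."""
    return sorted({cap for caps in matrix.get(phase, {}).values() for cap in caps})


def coverage_gaps(matrix):
    """Phases with no course of action at all: the deficiencies that
    'just adding more' at a well-covered phase never fixes."""
    return [p for p in PHASES if not capabilities(matrix, p)]


def depth_profile(matrix):
    """Capabilities per phase. Depth is the spread across phases,
    not the height of the tallest column."""
    return {p: len(capabilities(matrix, p)) for p in PHASES}


def chain_breaks(matrix, evaded=()):
    """Phases where at least one mitigation still applies after the adversary
    has changed TTPs to evade every capability named in `evaded`. Each entry
    is an independent opportunity to break the chain."""
    evaded = set(evaded)
    return [p for p in PHASES if set(capabilities(matrix, p)) - evaded]


def is_resilient(matrix, evaded=()):
    """True while any phase still breaks the chain: mitigations spread over
    seven phases survive an adversary who changes six things."""
    return bool(chain_breaks(matrix, evaded))


def render(matrix):
    rows = ["phase".ljust(22) + "".join(a.ljust(18) for a in ACTIONS)]
    for p in PHASES:
        cells = [", ".join(matrix.get(p, {}).get(a, [])) or "-" for a in ACTIONS]
        rows.append(p.ljust(22) + "".join(c.ljust(18) for c in cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(MATRIX))
    print("gaps:", coverage_gaps(MATRIX))
    print("depth:", depth_profile(MATRIX))
    six_changes = ["vigilant user", "NIDS", "mail filter", "HIDS", "patching", "DEP"]
    print("still breaks at:", chain_breaks(MATRIX, six_changes))
    print("resilient:", is_resilient(MATRIX, six_changes))
```

With the sample matrix, six changes by the adversary defeat everything at delivery and exploitation, yet the chain still breaks at installation and command and control; a matrix with the same nine capabilities stacked into the exploitation row alone would show a depth of 9 in one phase, gaps everywhere else, and no resilience once that single phase is evaded.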
We measure success by framing metrics in the context of the cyber kill chain. Metrics of resiliency are generated by measuring the performance as well as the effectiveness of defensive actions against the intruders. This allows us to plan investment roadmaps to rectify any capability gaps. Fundamentally, this approach is the essence of intelligence-driven CND: basing security decisions and measurements on a keen understanding of the adversary. Because we always complete the kill chain, we can also show which capabilities further down the chain were relevant. This is important because oftentimes, when leadership makes a big investment in a security tool, they might ask "what has it done for us?". Sometimes we're good at blocking activity before it reaches that new system, but if we can show that it is relevant to the problems we face, it enables us to demonstrate its value.
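The following is an added example of kill-chain-framed metrics (constructed incidents, not LM's reporting). Because the analysis completes the chain even after the intrusion was stopped, each incident records, per phase, which capabilities matched the reconstructed activity. That lets the code report how far intrusions got, how many reached each phase, which phases were reached with nothing matching (the capability gaps for the investment roadmap), and, per capability, the intrusions it would have caught downstream of an earlier layer that won first, which is the answer to "what has it done for us?". The phase names, incident ids and capability names are assumptions.

```python
"""Kill chain metrics from completed intrusion analyses. Added example with
constructed incidents; phase names and capability names are assumptions."""

PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample: the phase each intrusion was stopped at and, per phase,
# the capabilities whose rules matched the reconstructed activity.
INCIDENTS = [
    {"id": "INC-1", "stopped_at": "delivery",
     "matches": {"delivery": ["mail filter"], "exploitation": ["HIDS"],
                 "installation": ["EDR"]}},
    {"id": "INC-2", "stopped_at": "exploitation",
     "matches": {"exploitation": ["patching", "HIDS"],
                 "command_and_control": ["sinkhole"]}},
    {"id": "INC-3", "stopped_at": "command_and_control",
     "matches": {"installation": ["EDR"], "command_and_control": ["sinkhole"]}},
    {"id": "INC-4", "stopped_at": "installation",
     "matches": {"delivery": ["mail filter"], "installation": ["EDR"]}},
]


def phase_index(phase):
    return PHASES.index(phase)


def stop_phase_counts(incidents):
    """How far intrusions get before they are stopped (performance)."""
    counts = {p: 0 for p in PHASES}
    for inc in incidents:
        counts[inc["stopped_at"]] += 1
    return counts


def reached_counts(incidents):
    """Intrusions that reached each phase; the drop-off shows where the
    defensive spread actually bites."""
    return {p: sum(1 for inc in incidents
                   if phase_index(inc["stopped_at"]) >= phase_index(p))
            for p in PHASES}


def capability_gaps(incidents):
    """Per phase, intrusions that reached it with no capability matching:
    the candidates for the investment roadmap."""
    gaps = {p: 0 for p in PHASES}
    for inc in incidents:
        stop = phase_index(inc["stopped_at"])
        for p in PHASES[:stop + 1]:
            if not inc["matches"].get(p):
                gaps[p] += 1
    return gaps


def capability_relevance(incidents):
    """Per capability: intrusions it stopped (at_stop), intrusions it matched
    earlier without stopping them (upstream, detect-only), and intrusions it
    would have caught had an earlier layer not won first (downstream)."""
    rel = {}
    for inc in incidents:
        stop = phase_index(inc["stopped_at"])
        for phase, caps in inc["matches"].items():
            idx = phase_index(phase)
            bucket = "at_stop" if idx == stop else "downstream" if idx > stop else "upstream"
            for cap in caps:
                rel.setdefault(cap, {"at_stop": 0, "upstream": 0, "downstream": 0})
                rel[cap][bucket] += 1
    return rel


if __name__ == "__main__":
    print("stopped at:", stop_phase_counts(INCIDENTS))
    print("reached:", reached_counts(INCIDENTS))
    print("reached with no match:", capability_gaps(INCIDENTS))
    for cap, buckets in sorted(capability_relevance(INCIDENTS).items()):
        print(f"{cap:<12} {buckets}")
```

In the sample, the sinkhole stopped one intrusion and would have caught a second that patching stopped earlier; that downstream count is what justifies the sinkhole to leadership even in months when the mail filter and patching win first.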
LM's unique Cyber Kill Chain approach drives the way we do analysis for incident response. Regardless of the stage to which the attack has progressed, our team of analysts works to recreate all steps of the attack. We use a combination of forensic images, host logs and network logs to understand how the adversary initially gained access to the client's environment and then progressed through the attack.
Where others may encounter road blocks, our analysts will leverage our expansive knowledge bank of observed APT Tactics, Techniques, and Procedures (TTP) to identify additional areas for investigation. Our analysis methodology does not require the installation of any specific tools in a client’s computing environment. The LM team uses a combination of COTS and LM proprietary software to support the analysis of an incident.
Once a client’s internal Incident Response (IR) team engages LM analysts, our analysis process is executed as follows:
- Conduct a kickoff meeting (face-to-face or via conference call) with LM and the client to discuss the initial facts and decide any immediate remediation actions.
- Pull forensic images of affected assets and provide to LM analysts.
- During the analysis, LM analysts will collaborate with the client's Incident Response team on any additional data, recommendations, or suggested immediate remediations.
The results of the analysis are packaged into a final report and presented to the client.
By breaking an intrusion into multiple steps, we have multiple opportunities to recover from that threat. Our effort is best spent on three priorities: detection, additional visibility, and process improvement. Based on the TTP observed during a given incident, we work with the client's incident response team to integrate new detections into the client's current security architecture. This will ensure the client has the maximum amount of protection at all steps of the Cyber Kill Chain. This includes additional detections in current tools or enhancements to existing processes (e.g. patching). Our experience has shown that TTPs can shift slightly between attacks, but having defenses at multiple steps greatly reduces the chance that a future attack will be successful. We will also identify recommendations for tools or processes to provide additional visibility, to remediate any information gaps observed during the previous incident. This includes identifying additional log sources that could be reconfigured to provide context into the progression of an attack. This information can be crucial in streamlining the next investigation or providing the visibility required to properly recreate an incident.
Lastly, we treat each intrusion as a learning experience and an opportunity for improvement to better understand and recognize the TTPs of an adversary. Each intrusion is also an opportunity to examine current client processes to seek improvement.